Spot the bot: Identifying robot behavior to defeat DDOS attacks

By William Jackson

Sep 14, 2012

Government websites have been frequent targets of distributed denial of service attacks, which attempt to overwhelm a Web server with so many requests that the site becomes unavailable. Spotting such an attack in the early going would help fend it off, but that can depend on what type of DDOS attack it is.

Spotting and blocking a brute force Layer 4 (Transport Layer) denial-of-service attack is relatively simple, although defense can be complicated by distributing the attack across a number of compromised computers in a botnet to reduce the volume from any one address, or through other camouflage techniques.

A Layer 7 attack is another, more difficult, matter. It comes in at the Application Layer after a technically legitimate connection has been established with the target and overwhelms the application with a large number of otherwise legitimate requests.

Excessive requests can be spotted and rejected, but when they are distributed across a botnet or a network of accomplices it can be difficult to distinguish the legitimate from the hostile. Defenders risk either blocking legitimate requests (false positives) or allowing malicious requests to go through (false negatives). Which of these is worse depends on your mission and your resources, but neither is desirable.

Fortunately there usually is a common characteristic of malicious traffic: It is being generated by an automated tool of some kind. So the challenge becomes, how do you spot the bot?

The Hillsborough County, Fla., Sheriff’s Office is using a hosted service from Black Lotus Communications that uses proprietary algorithms to identify automated malicious traffic.

The company began developing its Human Behavior Analysis in 2009 as a response to Layer 7 DDOS attacks. Customer traffic is routed through the HBA engine to answer the question, “human, or not human?” If traffic is human, it is passed along to its destination. If not, it is flagged for further observation and analysis for malicious behavior.

How does it know? Black Lotus CEO Jeffrey Lyon won’t go into detail except to say the algorithms rely on collected experience of the behavior of traffic generated by real people.

“A robot will mimic human behavior, but a robot will always act like a robot,” Lyon said. The algorithms look for those fabricated patterns that do not match human behavior.

Black Lotus’s HBA is not the first tool to spot and block DDOS attacks, but Lyon said he believes it is the first that is website agnostic; that is, it does not depend on patterns generated by visitors to a specific site. That means that — if it works — it should be able to identify DDOS traffic to any customer’s site out of the box.

Lyon said HBA, which was only recently announced, does have a successful track record in the field. The Hillsborough County Sheriff Office, which adopted the service as an added layer of defense in anticipation of August’s GOP convention in Tampa, is happy with it and is keeping it, although department CIO Christopher Peek said that in its first two months it has not yet been called upon to block an attack.

Lyon said the algorithms are constantly being tuned.

“I am sure there will always be challenges,” he said. “I don’t want to say that any system is foolproof. But there will always be something that will identify a robot as a robot. The challenge will be how apparent it is.”